PT-2026-26787 · Ory · Ory Kratos

Published: 2026-03-20 · Updated: 2026-03-27 · CVE-2026-33503

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ory Kratos (affected versions not specified)
Description: The ListCourierMessages Admin API in Ory Kratos is susceptible to SQL injection because of issues in its pagination implementation. Pagination tokens are encrypted using a secret configured in secrets.pagination. An attacker who knows this secret can create their own tokens, including malicious ones that result in SQL injection. If the secrets.pagination configuration value is not set, Kratos uses a default pagination encryption secret, which is publicly known, allowing attackers to generate valid and malicious pagination tokens. An attacker can execute arbitrary SQL queries through forged pagination tokens. The issue can be exploited if the ListCourierMessages API is accessible to the attacker and they can pass a raw pagination token to the affected API.
Recommendations: Immediately configure a custom value for secrets.pagination by generating a cryptographically secure random secret, for example, using the command openssl rand -base64 32. Upgrade Kratos to a fixed version as soon as possible.
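To check whether a deployment is still running on the default secret, here is an added audit script (not part of this advisory, and not Kratos code). It assumes the config file is YAML with secrets.pagination written as a list under a top-level secrets: key; the key name comes from the advisory, the list layout and the file names are assumptions.

```sh
#!/bin/sh
# Added example (not part of the advisory or of Kratos): audit a kratos.yml for an
# explicit secrets.pagination value and mint one as the advisory recommends.
# Assumed layout (key name from the advisory; the list form is an assumption):
#   secrets:
#     pagination:
#       - <secret>

# has_pagination_secret FILE -> exit 0 if secrets.pagination carries a non-empty
# value (inline list or block list), 1 if it is absent or empty, i.e. when Kratos
# would fall back to its publicly known default secret.
has_pagination_secret() {
  awk '
    /^#/ { next }
    /^[^[:space:]]/ { in_secrets = ($0 ~ /^secrets:/); next }
    !in_secrets { next }
    /^[[:space:]]+[A-Za-z_]+:/ { want_item = 0 }
    /^[[:space:]]+pagination:/ {
      sub(/^[[:space:]]+pagination:[[:space:]]*/, "")
      sub(/[[:space:]]*#.*$/, "")
      if ($0 != "" && $0 != "[]") found = 1
      want_item = ($0 == "")
      next
    }
    want_item && /^[[:space:]]+-[[:space:]]*[^[:space:]]/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# new_pagination_secret -> the command the advisory recommends for a fresh secret
new_pagination_secret() { openssl rand -base64 32; }

# Constructed sample configs so the script runs stand-alone (placeholder values).
tmp=$(mktemp -d)
printf 'serve:\n  admin:\n    port: 4434\nsecrets:\n  cookie:\n    - COOKIE_SECRET_PLACEHOLDER\n' > "$tmp/weak.yml"
printf 'secrets:\n  cookie:\n    - COOKIE_SECRET_PLACEHOLDER\n  pagination:\n    - PAGINATION_SECRET_PLACEHOLDER\n' > "$tmp/fixed.yml"
for name in weak fixed; do
  if has_pagination_secret "$tmp/$name.yml"; then
    echo "$name.yml: secrets.pagination is set"
  else
    echo "$name.yml: secrets.pagination NOT set; tokens are forgeable until it is"
    if command -v openssl >/dev/null 2>&1; then
      echo "  suggested value: $(new_pagination_secret)"
    fi
  fi
done
rm -rf "$tmp"
```

The awk check only recognises the YAML shapes shown above; a value supplied through another mechanism (a separate config file or an environment override) must be audited there instead.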

Exploit · Fix

Weakness Enumeration: SQL injection

Related Identifiers

CVE-2026-33503
GHSA-HGX2-28F8-6G2R
GO-2026-4801
SUSE-SU-2026:1135-1

Affected Products

Ory Kratos